|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: VPN clients and security models
On Tue, 28 Jan 2003 11:52:39 EST, [email protected] said: > Welcome to the world of formal security models. If in theory a VPN is > nothing more than a tool of extending the security policy of a site to a > remote location, then it does not matter what kind of things you try to > achieve with it, it *wont* work for anything other than extending a security > model of a site to a remote location. Can one try to use it for something > else? Sure, one can. It may even work for a little bit, as long as it does > not contradict that security model. Right. In the *formal* sense, this is correct. But that's not how things work out in the Real World. As I pointed out before, you have *USERS* involved, and they'll do stupid things like try to connect their laptop to the internet. And as I also pointed out, if the head of a TLA screws up and Gets This Wrong, why should we expect untrained, non-security-aware users to Get It Right? The problem is exacerbated by the fact that these mobile laptops are usually *NOT* configured like a kiosk, where the user is unable to make any changes. > that site, then why are you not using the site mail server or why is the VPN > client lets you not use it? If it does not enforce the site's security > policy, then it is a BAD VPN client. And when the VPN client isn't even running, what stops the user from changing the mail software config to fetch his mail from some other server like AOL or MSN or whatever? Remember - users do NOT care about security. Users care about finishing whatever task THEY are busy with, which is almost never security. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech Attachment:
pgp00023.pgp
|